Data truncation and maxlength
December 19th, 2011, 10:48 AM
Registered User
Join Date: Mar 2011
Posts: 27
Time spent in forums: 4 h 41 m 25 sec
Reputation Power: 0
We recently rolled out a new website and we keep getting errors that are impossible to re-create.
Form fields throughout the application all have the maxlength attribute on them. When submitted, JavaScript double checks the length values and ColdFusion code does as well. Also, we use cfqueryparams with a maxlength as well. Lo and behold, there are STILL some users generating errors saying "Data will be truncated. Length of passed string is too long."
Any ideas? I thought we covered all bases on the length of passed data yet they are still coming through.
Additionally, on these same forms, we check for empty fields as well with JavaScript as well as ColdFusion checks yet we are getting some users to submit blank and empty forms.
Naturally, when we try to recreate the errors, everything works for us. Much appreciated on any insight.
Thanks!

December 19th, 2011, 11:09 AM
Moderator
Join Date: Jun 2002
Location: Raleigh, NC
Without a reproducible test case it's very hard to say. I would try setting up error handling that catches errors like this and writes the contents of the form scope AND the values actually being passed to the query (in case they are somehow different) to a text file or something. That way you should be able to see exactly what the values are and test using those.

December 19th, 2011, 01:00 PM
Registered User
Already ahead of you. We have the application cfc set up with the onError function emailing us with all the errors. That is how we figured out that people were still passing in blank forms and such. We have fields set up and checked 3 times for say a 25 character length and we are still getting errors on strings that are around 30+. No one understands how these are getting through and we don't know what else to do to attempt to stop the errors.
Also, we have been getting some errors on empty session variables from pages that you cannot access unless you are logged in and if you are on any page in that directory, the first thing it does is check if your login session var exists or kicks you out to the login page. Again, not sure how people are getting to pages with all these checks in place. We've tried numerous ways ourselves and nothing can be re-created for us. VERY annoying.

December 19th, 2011, 01:45 PM
Moderator
Yeah not sure but I can tell you that I've worked on lots of CF apps that do these things (security enforced, client and server-side validation, etc.) and they do work fine. So I think it has to be something specific to your app. I know that probably doesn't help much but at least be aware that this SHOULD work, so something else must be going on.

December 19th, 2011, 02:46 PM
Registered User
Yeah, I have at least come up with that much of an answer. Almost everything we do in CF SHOULD work haha. I was just asking for anyone who may have worked with this before and had any more information to go off of. Clearly we have nothing further to help investigate and not sure which angle we might be missing. Thanks though.

December 19th, 2011, 04:24 PM
Moderator
Well what happens if you take the exact values used when the error happens and run your own unit test?

December 21st, 2011, 10:06 AM
Registered User
We can't use the exact values entered. The form fields cut the values off at the proper lengths. Try typing them in and it stops you. Try pasting them in, and it cuts it off. Not sure what the user did and how they got around that. Everything we have set up works for us and we are at a loss. Even if you turn off JS the field maxlength should still work and the CF will definitely catch it. Clueless.

December 21st, 2011, 11:22 AM
Moderator
Right, JavaScript can be disabled, form field max length can be disabled, and one can even submit data to a form handling page directly, without using the form. Could they be doing this somehow?
Basically I would worry less about what they are doing in the browser and more about making sure you check everything and that it all works on the server side. Client side validation is a useful way to shepherd the user but at the end of the day you must treat all user-supplied data as potentially invalid and do all definitive validation on the server. That's the case for ANY web application (CF, PHP, Flex, Rails, etc.).
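
An added example, not code from any poster in this thread: one way to do the definitive server-side validation described above in CFML, and to log how a rejected request arrived so it can be replayed in a test. The function name `validateFormFields`, the field names, the 25-character limits and the log file name are assumptions.

```cfml
<cfscript>
// Added example. The field names, limits and log file name are assumptions.
function validateFormFields(required struct formData, required struct rules) {
    var errors = [];
    var name = "";
    var rule = "";
    var value = "";
    var problem = "";
    for (name in arguments.rules) {
        rule = arguments.rules[name];
        problem = "";
        if (!structKeyExists(arguments.formData, name)) {
            // A request built without the form can leave a field out entirely.
            value = "";
            if (rule.required) problem = "missing";
        } else {
            // Measure what the server received. ColdFusion joins repeated
            // field names into one comma-delimited value.
            value = arguments.formData[name];
            if (rule.required && !len(trim(value))) problem = "empty";
            else if (len(value) > rule.maxLength) problem = "too long";
        }
        if (len(problem)) {
            arrayAppend(errors, "#name#: #problem# (length #len(value)#, limit #rule.maxLength#)");
        }
    }
    return errors;
}

// Constructed rules for a hypothetical signup form.
rules = {
    firstName = {maxLength = 25, required = true},
    lastName = {maxLength = 25, required = true},
    nickname = {maxLength = 25, required = false}
};

errors = validateFormFields(form, rules);
if (arrayLen(errors)) {
    // Record how the request arrived, so a rejected post can be replayed in a test.
    writeLog(file = "formValidation", type = "warning",
        text = "#cgi.request_method# from #cgi.remote_addr#, referer [#cgi.http_referer#], "
             & "agent [#cgi.http_user_agent#]: #arrayToList(errors, '; ')#");
    writeOutput("Please correct: " & htmlEditFormat(arrayToList(errors, "; ")));
    abort;
}
// Only a request that passed every check reaches the cfquery and its cfqueryparam tags.
</cfscript>
```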

December 21st, 2011, 11:59 AM
Registered User
We do check it on the server. I submit the forms into a CF page that handles the data and it's still erroring on the cfqueryparams when inserting into queries and such. They are somehow getting around everything!

December 21st, 2011, 04:14 PM
Moderator
OK then, to be clear, you're saying:
If you take the EXACT value they submitted to the server, which would also be the EXACT value actually entered into the database if the insert went through...
And feed that value to the query yourself, then it does NOT go through? It's impossible that the exact same value could both pass and fail your cfqueryparam maxLength check. So if it doesn't work for you but they can still make it go through, the only possible options are that you are not in fact using the same exact value for testing, that there is some other avenue to execute the query that you aren't using or aren't testing, or that there is a bug in cfqueryparam.
What version of CF is this?

December 30th, 2011, 10:51 AM
Registered User
I don't think you understand what I'm asking and/or I don't know how to word it. Thanks tho, nvm.

December 30th, 2011, 10:59 PM
Moderator
Sure. What I'm saying is pretty straightforward (simply testing the exact values directly against the query), so I think something is getting lost in your explanation of either what's happening or what you've done to actually test the behavior.